Tuija Palovuori

Reputation: 21

JavaCard: RSAPrivateKey.setModulus throws CryptoException.ILLEGAL_VALUE

I am working on a JavaCard applet, and right now I have to calculate a modular exponential operation. I have been using a self-modified version of JCMathLib for this, which ultimately uses RSAPrivateKey to handle the operation, specifically in the file BigNat.java. However, when I run this on my card, line 291 throws a CryptoException with a reason code of ILLEGAL_VALUE.

The documentation for RSAPrivateKey.setModulus on JavaCard says that the method throws a CryptoException like this "if the input modulus data length is inconsistent with the implementation or if input data decryption is required and fails". I'm not certain, but I don't think input data decryption is required in this scenario, so I'm assuming that the modulus data length is "inconsistent with the implementation". However, I'm not sure what would be consistent with the implementation. Would anyone know what determines the correct modulus input length, and whether this length is measured in bits or bytes?

For reference, the modulus I want to use is, in its original form, 32 bytes long. The code pads it to 64 bytes (rm.MAX_EXP_LENGTH) with zeros (prepended) before passing it as the input to the setModulus call. That same length is given as the length argument. When the RSAPrivateKey object in question was built with KeyBuilder, it was given a length of 512 bits, which equals 64 bytes.

I have also attempted to pass 512 as the length argument in case the length is measured in bits, but this results in an IndexOutOfBoundsException, which indicates that it does indeed want bytes. I still want to ask to make sure, though.

Thank you in advance!

Upvotes: 1

Views: 48

Answers (1)

Maarten Bodewes

Reputation: 94038

The RSA modulus is what defines the key size for RSA. So if you have a 512 bit private key and 64 bytes then the first / leftmost byte needs to be set to 0x80 or higher to indicate 2^511 or higher as these keys are actually between 2^511 and 2^512 - bit index is zero based after all.

Note that RSA assumes unsigned, big endian integer representations. Also note that different platforms may be more or less strict. Not all implementations will accept sizes that are considered unsafe (2k RSA keys are considered to have a 112 bit key strength, which is usually considered the real minimum key strength).

The length argument is indeed specified in bytes, even though the key length (or size) of the private key is indicated in bits. This is because only bytes can be directly addressed in memory.

Upvotes: 0
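
A pre-check for the condition described in the answer above, as an added example that is not part of the original answer or of JCMathLib. The class and method names are hypothetical; only the `javacard.security` calls are platform API, and whether a particular card actually rejects a short modulus is implementation dependent.

```java
import javacard.security.CryptoException;
import javacard.security.RSAPrivateKey;

/** Hypothetical helper: checks that a modulus really has the bit length of the key object. */
public final class ModulusCheck {
    private ModulusCheck() {}

    /** Significant bits of the unsigned big-endian integer in buf[off .. off+len). */
    public static short significantBits(byte[] buf, short off, short len) {
        short i = 0;
        // Skip leading zero bytes: they are padding, not part of the value.
        while (i < len && buf[(short) (off + i)] == 0) {
            i++;
        }
        if (i == len) {
            return 0; // the value is zero
        }
        short bits = (short) ((len - i) * 8);
        short top = (short) (buf[(short) (off + i)] & 0xFF);
        // Drop the unused high bits of the first non-zero byte.
        for (short mask = 0x80; (top & mask) == 0; mask >>= 1) {
            bits--;
        }
        return bits;
    }

    /** True when len equals keyBits / 8 bytes and the top bit of the first byte is set. */
    public static boolean fillsKeySize(byte[] buf, short off, short len, short keyBits) {
        return len == (short) (keyBits / 8)
                && significantBits(buf, off, len) == keyBits;
    }

    /**
     * Fails early with the same reason code when the modulus does not fill the key size.
     * Case from the question: a 32-byte value left-padded with zeros to 64 bytes has at
     * most 256 significant bits, so it does not pass for a 512-bit key object.
     */
    public static void setModulusChecked(RSAPrivateKey key, byte[] buf, short off, short len) {
        // Key.getSize() reports the key size in bits; setModulus takes a length in bytes.
        if (!fillsKeySize(buf, off, len, key.getSize())) {
            CryptoException.throwIt(CryptoException.ILLEGAL_VALUE);
        }
        key.setModulus(buf, off, len);
    }
}
```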
